Tuesday 17 November 2009

The T-Mobile “Defense”

An old English proverb tells us that “There are none so blind as those who choose not to see.” Today T-Mobile are in the news for insiders selling-on customer personal data against U.K. Data Protection Legislation. T-Mobile claim the data was sold "without our knowledge".
The key word in this excuse is "knowledge".
  • What did they know about their data and the way it is/was used?
  • What did they know about the data leak?
  • What do they know that they are not telling us?
  • Did they, in fact, have any actual knowledge or did they simply choose not to look?
This is another case of a global organization simply choosing not to invest in processes or technologies to control data and database access. Having such security systems and publicizing them amongst staff are a powerful deterrent and are effective in cutting insider data breaches.
The UK information commissioner Christopher Graham is advocating custodial sentences for this type of abuse of personal data. Until there is sustained public understanding resulting in political pressure I doubt this will ever become a reality in the near term.

Perhaps it is not just T-Mobile who choose not to see – maybe it is us, the people, who let our personal information float freely, without truly understanding how it is used.

Wednesday 11 November 2009

SQL injection sees a big payout

Yesterday, prosecutors in Atlanta announced indictments against an alleged crime ring from Eastern Europe. The achievements of their hackers point to frightening means of financial data theft. According the reports, the hackers attacked payment processor RBS WorldPay, cloned prepaid ATM cards, and used them to withdraw cash totaling $9 million from 280 cities globally. These attacks took place in November 2008, and the timing is significant given that similar breaches of card data were occurring via SQL injection attacks.

In the Spring of 2008, fully automated SQL injection attacks were spreading rapidly – but the reports were focused on the visible outcomes and listed them as “i-frame attacks” rather than their root-cause of a database attack. At the time we warned that SQL injection attacks were both increasing and becoming more severe, moving to attacks whose purpose was to serve as much malicious code on as many web sites as possible. In the few months between that time and November 2008, the attacks moved beyond proof of concept and annoyance hacks to direct database manipulation and fraud. One year later, our call to action remains the same: all companies need to address the vulnerabilities the web environment poses to their databases. We recommend additional security precautions be added, so that SQL injection attacks are blocked, ensuring that the database cannot be used directly to mount a costly and embarrassing data breach.

Thursday 5 November 2009

First the telecos …?

Today brings news that the EU will require telecommunications companies to inform affected parties on data breaches. Although some would argue (and are arguing) that this measure should extend to all businesses – and we agree, eventually – the EU measure is a critical first step. Since the telecommunications companies and service providers have online components as well as the means to store vast amounts of customer data, starting measures with these groups makes sense.

We fully expect data protection measures to extend to different business types and industries, but these extensions should be done in a measured, controlled manner. The very worst thing that the EU could do is impose broad, blanket data protection measures that would affect all industries immediately. Historically, these measures (for example Sarbanes-Oxley in the United States) have created compliance costs and headaches that can be as difficult to maneuver as the problems they were intended to solve.

Rather than bemoan the fact that the measures are starting with the telecos, let’s look to this an important first move that is being done correctly and gives all businesses time to prepare for the inevitable cross-industry data protection measures that will emerge in the coming years.